IPA server upgrade fails with KDC error
by Johannes Brandstetter
Hi,
I'm trying to upgrade FreeIPA through ipa-server-upgrade from 4.4 to 4.5. The command fails with "ACIError: Insufficient access:". I find in the KDC log that it complains about "Database module does not match KDC version - while initializing database for realm..."
Does anybody know how to fix this?
Some more info:
$ cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
$ tail /var/log/krb5kdc.log
krb5kdc: Server error - while fetching master key K/M for realm XXX
krb5kdc: Database module does not match KDC version - while initializing database for realm XXX
$ sudo less /var/log/ipaupgrade.log
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Saving StateFile to '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-10-16T13:04:13Z DEBUG duration: 0 seconds
2017-10-16T13:04:13Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2017-10-16T13:04:14Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1896, in upgrade
    data_upgrade.create_instance()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 124, in create_instance
    runtime=90)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 504, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 494, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 96, in __start
    api.Backend.ldap2.connect()
  File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 66, in connect
    conn = self.create_connection(*args, **kw)
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py", line 190, in create_connection
    client_controls=clientctrls)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1111, in external_bind
    '', auth_tokens, server_controls, client_controls)
  File "/usr/lib64/python2.7/contextlib.py", line 35, in __exit__
    self.gen.throw(type, value, traceback)
  File "/usr/lib/python2.7/site-packages/ipapython/ipaldap.py", line 1007, in error_handler
    raise errors.ACIError(info=info)
2017-10-16T13:04:14Z DEBUG The ipa-server-upgrade command failed, exception: ACIError: Insufficient access:
2017-10-16T13:04:14Z ERROR Insufficient access:
2017-10-16T13:04:14Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
$ sudo less /var/log/yum.log
Oct 16 05:36:02 Updated: ipa-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:02 Updated: ipa-client-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:25 Updated: libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:53 Updated: python-libipa_hbac-1.15.2-50.el7_4.2.x86_64
Oct 16 05:36:55 Updated: python2-ipalib-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:36:55 Updated: python2-ipaclient-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:37:23 Updated: ipa-python-compat-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:43 Updated: ipa-server-common-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: python2-ipaserver-4.5.0-21.el7.centos.1.2.noarch
Oct 16 05:38:44 Updated: sssd-ipa-1.15.2-50.el7_4.2.x86_64
Oct 16 05:39:01 Installed: ipa-client-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:39:28 Updated: ipsilon-tools-ipa-2.0.2-5.el7.centos.noarch
Oct 16 05:39:29 Updated: ipa-server-4.5.0-21.el7.centos.1.2.x86_64
Oct 16 05:40:48 Erased: ipa-admintools-4.4.0-14.el7.centos.7.noarch
Oct 16 05:19:30 Updated: krb5-libs-1.15.1-8.el7.x86_64
Oct 16 05:19:30 Updated: krb5-workstation-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-server-1.15.1-8.el7.x86_64
Oct 16 05:19:31 Updated: krb5-pkinit-1.15.1-8.el7.x86_64
Oct 16 05:38:22 Updated: sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
Oct 16 05:38:57 Updated: sssd-krb5-1.15.2-50.el7_4.2.x86_64
Cheers,
Johannes
Migration from Test to Production
by Ronald Wimmer
Hi,
we have been evaluating FreeIPA for quite a while now on our test setup
(1 IPA server, 1 Replica) and are planning to move towards production.
Can the whole setup be migrated from an IPA test to an IPA production
server? (the IPA 'linux.ourdomain.at' domain should stay the same) Or
would it be easier to use both test servers for production (and just
add additional replicas)?
Cheers,
Ronald
Info - cli - Powershell module for FreeIPA published and available on GitHub
by Lucas Cueff
Hello FreeIPA world,
First, thanks for this great product. I was looking for an Active Directory 'clone' for the open-source world and I have successfully tested and deployed a FreeIPA infra, thanks to your great job, guys!
Because I am also a Windows sysadmin working from a Windows platform, I wanted to keep PowerShell as my main shell and script platform. I have started to port the Python CLI to a PowerShell module.
For PowerShell users, my work is available at: https://github.com/MS-LUF/Manage-FreeIPA
Currently, the APIs already implemented in v0.1 are:
config_mod
config_show
env
group_add
group_add_member
group_del
group_find
group_mod
group_remove_member
group_show
host_add
host_del
host_mod
host_show
passwd
permission_add
permission_add_member
permission_add_noaci
permission_find
permission_mod
permission_remove_member
permission_show
privilege_add
privilege_add_member
privilege_add_permission
privilege_del
privilege_find
privilege_mod
privilege_remove_member
privilege_remove_permission
privilege_show
role_add
role_add_member
role_add_privilege
role_del
role_find
role_mod
role_remove_member
role_remove_privilege
role_show
sessionlogout
user_add
user_del
user_disable
user_enable
user_find
user_mod
user_show
user_status
user_unlock
host_find
More to come soon.
@+
Luf35
Re: ipa.service "fails" to start
by Florence Blanc-Renaud
On 10/19/18 6:49 AM, Z D via FreeIPA-users wrote:
> Hi there,
>
> This is el7.3 running ipa-server 4.4.0 release 12.0.1.el7.
>
> After reboot I couldn't start ipa service via systemctl, hence I run
> "ipactl start --ignore-service-failures" and this was kind of
> successful. I still have some discrepancies, and looking for
> troubleshooting ideas.
>
> 1. "systemctl status ipa.service" reads that service failed
> 2. "systemctl status pki-tomcatd.target" reads that PKI Tomcat Server
> is running.
Hi,
The PKI service status can be found using "systemctl status
pki-tomcatd@pki-tomcat.service".
More details on the differences between targets and units can be found
in the man pages for systemd.unit(5) and systemd.target(5).
> 3.
> # ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> ipa_memcached Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED <---- !!
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
To troubleshoot, you can have a look at the output of
# systemctl status pki-tomcatd@pki-tomcat.service
and the logs in /var/log/pki/pki-tomcat/ca/debug.
I would start by checking if some certificates expired with getcert list
(check the status, should be MONITORING, and the expires: <date>).
HTH,
flo
>
> Well, why pki-tomcatd reads 'stopped' and how to make systemctl to
> recognize that ipa service is running, thanks in advance,
>
> Zarko
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
sftp file browser causes 4 (System Error)
by Aaron Hicks
Hello the list,
We just had a bit of fuss involving user logins. We're using sssd 1.16.1 on a
client and FreeIPA 4.5.4 (ok, it's really RHIdM).
We had a lot of users having issues logging in and/or resetting their passwords
on a host with 2FA enabled, and it turns out that when they're using an advanced
SSH client (e.g. MobaXterm) that also starts an SFTP session they can't log in
and we see errors like:
Sep 11 00:09:05 lander sshd[27408]: pam_sss(sshd:auth): received for user
testuser: 4 (System error)
Sep 11 00:09:06 lander sshd[27380]: error: PAM: Authentication failure for
testuser from remote.local
If the SFTP file browser is disabled, or its protocol is set to use SCP,
then logins progress normally.
In FreeIPA we've enabled 2FA on a per-host basis and the HBAC rule only
allows the sshd service, so if these were the cause of the '4 (System error)'
failures then it'd be much better if the error reports were more meaningful.
Does anyone have any advice on setting up SFTP so that it works (and
ideally, doesn't need repeated entry of credentials)?
Regards,
Aaron
Contribute to a HowTO
by Peter Tselios
Hello,
I have a relatively easy HowTo for Integrating Grafana with FreeIPA as an Authentication Back-end.
So, can you please allow my account write access to the Wiki?
replication sync issues
by Grant Janssen
I have these errors in the syslog of the primary, the syslog on the secondary is clean.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389) - Can't locate CSN 5afd9651000200600000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): CSN 5afd9651000200600000 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 ef-idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-ef-idm02.production.efilm.com-pki-tomcat" (ef-idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
I initiated a resync, but the errors continue to pile up on the primary.
grant@ef-idm02:~[20181030-9:36][#115]$ ipa-replica-manage force-sync --from ef-idm01.production.efilm.com
Directory Manager password: ********
ipa: INFO: Setting agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config schedule to 2358-2359 0 to force synch
ipa: INFO: Deleting schedule 2358-2359 0 from agreement cn=meToef-idm02.production.efilm.com,cn=replica,cn=dc\=production\,dc\=efilm\,dc\=com,cn=mapping tree,cn=config
grant@ef-idm02:~[20181030-9:37][#116]$
thanx
- grant
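The three ns-slapd lines in the post name a CSN the supplier can no longer find and state outright that the replica must be reinitialized. A CSN carries its own timestamp, so decoding it tells you how old the missing change is and whether it could still be in the changelog at all. The script below is an added example, not code from the post or from FreeIPA/389-ds. It assumes the standard 389-ds CSN layout (8 hex digits of Unix time, then 4 hex digits each of sequence number, replica ID and subsequence number) and a 7-day changelog purge window; the window is an assumption to check against nsslapd-changelogmaxage on the real server. The sample log lines are constructed from the post with the hostnames changed.

```python
"""Decode 389-ds replication CSNs and flag purged-changelog errors in ns-slapd logs.

Added example, not code from the post above or from FreeIPA/389-ds. Assumes the
standard 389-ds CSN layout (8 hex digits of Unix time, 4 hex sequence number,
4 hex replica ID, 4 hex subsequence number) and a 7-day changelog purge window
(assumption: check nsslapd-changelogmaxage on the server).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the lines in the post (hostnames changed).
SAMPLE_LOG = """\
Oct 30 09:41:59 idm01 ns-slapd: [30/Oct/2018:09:41:59.104092627 -0700] agmt="cn=masterAgreement1-idm02.example.com-pki-tomcat" (idm02:389) - Can't locate CSN 5afd9651000200600000 in the changelog (DB rc=-30988). If replication stops, the consumer may need to be reinitialized.
Oct 30 09:41:59 idm01 ns-slapd: [30/Oct/2018:09:41:59.105088278 -0700] NSMMReplicationPlugin - changelog program - agmt="cn=masterAgreement1-idm02.example.com-pki-tomcat" (idm02:389): CSN 5afd9651000200600000 not found, we aren't as up to date, or we purged
Oct 30 09:41:59 idm01 ns-slapd: [30/Oct/2018:09:41:59.105750108 -0700] NSMMReplicationPlugin - agmt="cn=masterAgreement1-idm02.example.com-pki-tomcat" (idm02:389): Data required to update replica has been purged from the changelog. The replica must be reinitialized.
Oct 30 09:42:03 idm01 ns-slapd: [30/Oct/2018:09:42:03.000000000 -0700] NSMMReplicationPlugin - agmt="cn=meToidm02.example.com" (idm02:389): State: sending_updates -> wait_for_changes
"""

AGMT_RE = re.compile(r'agmt="([^"]+)"')
CSN_RE = re.compile(r"\bCSN ([0-9a-f]{20})\b")
LOGTS_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4})\]")


def decode_csn(csn):
    """Split a 20-hex-digit CSN into its fields; the first field is Unix time (UTC)."""
    if not re.fullmatch(r"[0-9a-f]{20}", csn):
        raise ValueError("not a 389-ds CSN: %r" % csn)
    return {
        "time": datetime.fromtimestamp(int(csn[0:8], 16), tz=timezone.utc),
        "seq": int(csn[8:12], 16),
        "replica_id": int(csn[12:16], 16),
        "subseq": int(csn[16:20], 16),
    }


def scan_replication_log(log_text, changelog_max_age=timedelta(days=7)):
    """Per replication agreement: CSNs the supplier could not find, how old each
    one was when the error was logged, and whether the server itself said the
    consumer must be reinitialized."""
    report = {}
    for line in log_text.splitlines():
        agmt = AGMT_RE.search(line)
        if not agmt:
            continue
        entry = report.setdefault(agmt.group(1), {"missing_csns": {}, "reinit_required": False})
        if "must be reinitialized" in line:
            entry["reinit_required"] = True
        csn_m = CSN_RE.search(line)
        if not csn_m or not ("Can't locate CSN" in line or "not found" in line):
            continue
        logged_at = None
        ts_m = LOGTS_RE.search(line)
        if ts_m:
            logged_at = datetime.strptime(" ".join(ts_m.groups()), "%d/%b/%Y:%H:%M:%S %z")
        info = decode_csn(csn_m.group(1))
        info["age"] = (logged_at - info["time"]) if logged_at else None
        # A change older than the purge window cannot be replayed from this supplier's changelog.
        info["older_than_changelog"] = info["age"] is not None and info["age"] > changelog_max_age
        entry["missing_csns"][csn_m.group(1)] = info
    return report


if __name__ == "__main__":
    for agmt, entry in scan_replication_log(SAMPLE_LOG).items():
        print(agmt)
        for csn, info in entry["missing_csns"].items():
            print("  missing CSN %s: written %s by replica %d, %s old" % (
                csn, info["time"].isoformat(), info["replica_id"], info["age"]))
        print("  re-initialise consumer:", "YES" if entry["reinit_required"] else "no")
```

On the post's own CSN the decoder yields a May 2018 timestamp against an October 2018 log line, which is why a forced sync cannot help: the change was purged long before the resync was attempted, and only a re-initialisation of that consumer from a supplier that has the data will clear the error.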
certmonger Error 77 Problem with the SSL CA cert
by Kees Bakker
Hi,
We have had FreeIPA running on Ubuntu 16.04 for about two years
now. For the last few days we have seen these messages in the log:
Oct 22 17:32:14 ipasrv certmonger[1813]: 2018-10-22 17:32:14 [1813] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Where should I start looking to recover from this?
--
Kees
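Both the reply in the "ipa.service fails to start" thread (check getcert list, status should be MONITORING, look at the expires date) and the certmonger Error 77 post above come down to the same first step: read the certmonger tracking state and find the requests that are not healthy. The script below is an added example, not code from either post or from certmonger/FreeIPA. It parses the plain-text format getcert list prints (a "Request ID" line per tracked certificate followed by indented key: value lines) and flags every request that is not in MONITORING, carries a ca-error, is stuck, or expires within a warning window. The sample output is constructed; only the Error 77 text is taken from the certmonger post, and the request IDs, subjects and dates are made up.

```python
"""Triage certmonger tracking requests from `getcert list` output.

Added example, not code from the posts above or from certmonger/FreeIPA. Parses
the plain-text format certmonger prints and flags requests that need attention.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list` output. The Error 77 text is
# the one from the certmonger post; request IDs, subjects and dates are made up.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20161020153000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=MYDOMAIN
\texpires: 2020-10-20 15:30:00 UTC
Request ID '20161020153001':
\tstatus: CA_UNREACHABLE
\tca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=MYDOMAIN
\texpires: 2018-11-12 17:32:14 UTC
Request ID '20161020153002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: IPA
\tsubject: CN=ipasrv.mydomain,O=MYDOMAIN
\texpires: 2018-11-01 08:00:00 UTC
"""

REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace():
            key, sep, value = line.strip().partition(": ")
            if sep:
                current[key] = value
    return requests


def parse_certmonger_time(value):
    """certmonger prints times as '2018-11-01 08:00:00 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_within=timedelta(days=30)):
    """List (request id, subject, problems) for every request that needs attention."""
    findings = []
    for r in requests:
        problems = []
        if r.get("status") != "MONITORING":
            problems.append("status %s" % r.get("status"))
        if r.get("ca-error"):
            problems.append("ca-error: %s" % r["ca-error"])
        if r.get("stuck", "no") != "no":
            problems.append("stuck")
        if r.get("expires"):
            remaining = parse_certmonger_time(r["expires"]) - now
            if remaining <= timedelta(0):
                problems.append("EXPIRED")
            elif remaining <= warn_within:
                problems.append("expires in %d days" % remaining.days)
        if problems:
            findings.append((r["id"], r.get("subject", "?"), problems))
    return findings


def triage_getcert_output(text, now_utc, warn_days=30):
    """Wrapper taking 'now' in certmonger's own time format, e.g. '2018-10-22 17:32:14 UTC'."""
    return triage(parse_getcert_list(text), parse_certmonger_time(now_utc), timedelta(days=warn_days))


if __name__ == "__main__":
    # Real use (as root, since getcert needs it): getcert list | python3 this_script.py
    import sys
    text = SAMPLE_GETCERT if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    for req_id, subject, problems in triage_getcert_output(text, now):
        print("%s %s: %s" % (req_id, subject, "; ".join(problems)))
```

A request that is healthy shows status MONITORING, no ca-error, stuck: no and an expires date comfortably in the future; anything else is where to start, and a ca-error naming Error 77 points at the CA bundle the renew agent uses to reach the CA on port 8443 rather than at the certificate being renewed.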
Deployment without CA
by Henrik Johansson
Hello,
I am looking at using FreeIPA without a CA, using externally signed certificates. Reading the documentation it looks possible using --dirsrv-cert-file, --http-cert-file and --pkinit-cert-file. Should I just create a CSR for the hostname by hand and get it signed? Also, is there any good reason for having different certs for HTTP, LDAP and PKINIT? Can I just use one certificate for all services and for all servers and replicas using Subject Alternative Names?
Regards
Henrik